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MEMORY REWRITING SYSTEM FOR VEHICLE CONTROLLER 



FIELD OF THE INVENTION 
5 The present invention relates to a memory rewriting system 

for rewriting data stored in a memory of a vehicle controller 
with another data transferred from an external rewriting 
device . 

10 BACKGROUND OF THE INVENTION 

Vehicles are subjected to various types of control by 
an electronic control unit (hereafter referred to as "ECU") . 
Such control includes engine - related control for an air fuel 
ratio, fuel injection amount, and emission as well as 

15 body-related control for a power window, an air bag, and. an 
ABS . The ECU provides various types of control for the vehicle 
based on current conditions and traveling status of the vehicle 
sensed by various sensors mounted on the vehicle. 

20 On the other hand, the vehicle may include an anti- theft 

system. In general, the anti-theft system electronically 
checks if an ignition key used by a driver to start the engine 
is authentic. If it is determined that the key is authentic, 
the anti -theft system transfers a signal for permitting 

25 vehicle operation to the ECU. On the other hand, if it is 
determined that the ignition key is not authentic, the driver 
is judged to be not an authorized person and cannot operate 
the vehicle. Thus, until the permission signal is received, 



1/29 



mm 



Q00013US 



the ECU does not allow the engine to start by, for example, 
stopping fuel injection. 

The ECU comprises a central processing unit (CPU) , a ROM 
5 (Read Only Memory ) that stores programs and data to be executed, 
a RAM (Random Access Memory) which provides a work area for 
execution and which stores results of computation, and an I/O 
interface for receiving signals from various sensors and 
transmitting control signals to various parts of the engine. 

10 

The ROM often includes a rewritable memory such as a flash 
memory, anEEPROM, or an EPROM to allow a program or data therein 
to be rewritten. Japanese Patent Application Laid-Open No. 
63-223901 describes a method for changing a program stored 
15 in the EEPROM of the ECU in response to a request from an external 
device with the ECU being mounted on the vehicle. 

Such a function of changing a program or data stored in 
a ROM of the ECU makes it necessary to protect them from access 

20 from an external device, thus preventing a user or other third 
parties from rewriting a program or data stored in the ROM 
without proper authorization. Japanese Patent Application 
Laid-Open No. 3-238541 describes a vehicle controller for 
determining that a program or data in a ROM of the ECU is tampered 

2 5 using a check data mechanism . According to the mechanism, check 
data based on data stored in the ROM are stored beforehand. 
After shipment of the vehicle, the ECU creates new check data 
based on the data stored in the ROM. The ECU then compares 
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the new check data with the previously stored check data, 
determines that the data have been tampered if they are unequal 
and turns on the alarm light. 

A key for releasing the above-mentioned security feature 
is known only to a manufacturer of a rewriting device under 
contract to the automobile manufacturer. Thus, only the 
rewriting device authorized by the automobile manufacturer 
can use the "key" and change the data stored in the ROM of 
the ECU of that automobile. 

A typical procedure for changing a program in the ROM 
will be described in brief. The above-mentioned key is 
typically expressed by a certain function, which is provided 
both in the rewriting device and in the ECU. The rewriting 
device is connected to the ECU and then uses its own function 
(i.e., key) to calculate a function value for an arbitrary 
numerical value transmitted from the ECU. The rewriting 
device then transfers the function value to the ECU. At the 
same time , the ECU uses its own function (i.e. , key) to calculate 
a function value for the same numerical value . The ECU compares 
the function value received from the rewriting device with 
the function value determined by itself. If they are equal, 
the ECU releases the security feature. Thus, the rewriting 
device is permitted to rewrite data stored in the ROM. If they 
are unequal, then the rewriting device is judged to be not 
authentic because the rewriting device and the ECU have 
different functions (keys) . Consequently, the security 
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feature is not released and the rewriting device cannot rewrite 
the data stored in the ROM. 

The key for releasing the security feature, however, is 
5 conventionally stored in a non-rewritable area of the ROM in 
the ECU, so that it is impossible to use the rewriting device 
to change the key after the vehicle has been shipped. Thus, 
if the key is accidentally divulged to a user or another third 
party who is not authorized, a rewriting device other than 
10 the authorized one can rewrite the key in the ROM, thereby 
breaking the security feature. 

On the other hand, if the vehicle includes an anti- theft 
system and if a program used to operate the anti -theft system 
15 is rewritten, then the anti - theft system would be invalidated . 
Accordingly, a system for rewriting a program or data stored 
in the ROM requires higher security than that for the anti - theft 
system . 

2 0 SUMMARY OF THE INVENTION 

An object of the present invention is to provide a memory 
rewriting system for a vehicle controller which enables, even 
after shipment of the vehicle, changing of a key for releasing 
25 a security feature that prevents a program or data stored in 
the ROM of the ECU from being tampered. Even if the key has 
been divulged to a third party who is not authorized, the 
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manufacturer can use the rewriting device to change the key, 
thus enabling the security feature to be easily recovered. 



Another object of the present invention is to provide 
5 a memory rewriting system for a vehicle controller which can 
operate in cooperation with an anti- theft system. 



According to one aspect of the invention, a vehicle 
controller comprising a rewritable memory is provided. The 

10 rewritable memory stores first security data that is used to 
determine whether rewriting to the rewritable memory is 
permitted. The vehicle controller is configured, in response 
to receipt of new security data from an external rewriting 
device, to delete the first security data, and to write the 

15 new security data into the rewritable memory. The rewritable 
memory can be implemented in a non-volatile memory such as 
a flash memory, EPROM , and EEPROM. Thus, the security feature 
can be easily recovered by rewriting the security data stored 
in the rewritable memory, preventing illegal rewriting from 

20 spreading even if the security data has been divulged to a 
third party. 



In one embodiment of the invention, the vehicle controller 
also comprises a non - rewri table memory, in which a program 
25 for deleting the first security data and writing the new 
security data is stored . Thus , a program that rewrites security 
data is prevented from tampering. 
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In another embodiment of the invention, the rewritable 
memory and the non - rewritable memory are implemented in a 
single memory. 



5 In another embodiment of the invention, an anti- theft 

system is connected to the vehicle controller. In this case, 
rewriting to the rewritable memory is permitted if the 
anti-theft system permits an operation as to the vehicle. 

10 According to another aspect of the invention, a rewriting 

device for rewriting a rewritable memory included in a vehicle 
controller is provided . The rewriting device comprises amemory 
for storing new security data and a communication means for 
transferring the new security data. The transferred new 

15 security data is written into the rewritable memory. The new 
security data written in the rewritable memory is used to 
determine whether rewriting to the rewritable memory is 
permitted. The rewriting device provides an user interface 
that enables a user to create the new security data. Moreover, 

20 the controller can assemble data blocks from the new security 
data. Each data block includes a program code field for partial 
program code of the new security data and an address field 
for a leading address of the rewritable memory in which the 
partial program code is to be stored. The communication means 

25 transfers the data blocks via serial communication. 

In one embodiment of the invention, the rewriting device 
further issues a request to the vehicle controller to delete 
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the first security data and write the transferred new security 
data into the rewritable memory. 



According to another aspect of the invention, the 
5 rewriting device stores second security data. The vehicle 
controller compares a first security data stored in a 
rewritable memory mounted therein with the second security 
data transferred from the rewriting device. The vehicle 
controller permit the rewriting device to rewrite to the 
10 rewritable memory if the first security data matches the 
second security data. 

In one embodiment of the invention, the first security 
data and the second security data have the same function. The 

15 rewriting device includes a program to calculate a first 
function value for a number based on the function of the first 
security data. The vehicle controller calculates a second 
function value for the number based on the function of the 
second security data. The vehicle controller compares the 

2 0 first function value with the second function value transferred 
from the rewriting device . If the first function value is equal 
to the second function value, the vehicle controller permits 
the rewriting device to rewrite to the rewritable memory. 



25 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a view showing an outline of a memory rewriting 
system according to one embodiment of the present invention; 
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FIG. 2 is a block diagram showing the entire memory 
rewriting system according to one embodiment of the present 
invention ; 



5 a CPU of the ECU in the memory rewriting system according to 
one embodiment of the present invention; 

FIG. 4 is a view showing an operational procedure of the 
memory rewriting system according to one embodiment of the 
present invention; 
10 FIG. 5 is an authentication procedure executed by the 

memory rewriting system according to one embodiment of the 
present invention ; 

FIG. 6 is a flow chart showing a process for releasing 
security executed by the rewriting device of the memory 
15 rewriting system according to one embodiment of the present 
invention; 

FIG. 7 is a flow chart showing a process for releasing 
security executed by the ECU of the memory rewriting system 
according to one embodiment of the present invention; 
20 FIG. 8 is a flow chart showing a process for rewriting 

executed by the rewriting device of the memory rewriting system 
according to one embodiment of the present invention; and 
FIG. 9 is a flow chart showing a process for rewriting 
executed by the ECU of the memory rewriting system according 
25 to one embodiment of the present invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 




FIG. 3 is a view showing examples of a form of a ROM and 



8/29 



Q00013US 



The present invention for rewriting a security program 
stored in a non-volatile memory of a vehicle controller will 
be described referring to attached drawings. The present 
invention, however, is not limited to the system for rewriting 
5 the security program but is applicable to various systems for 
rewriting data stored in a non-volatile memory. 

FIG. 1 shows an outline of a memory rewriting system 
according to one embodiment of the present invention. The 

10 memory rewriting system comprises an electronic control unit 
(ECU) 10 mounted on a vehicle 1 and a rewriting device 11. 
The rewriting device 11 is authorized by the manufacturer of 
the vehicle 1. The ECU 10 comprises a rewritable ROM (not 
shown) . As shown in the figure, when the rewriting device 11 

15 is connected to the ECU 10 and some appropriate operation to 
the rewriting device 11 is performed, a security feature for 
preventing a program or data stored in the ROM of the ECU 10 
from being rewritten without proper authorization is released. 
Thus, the rewriting device is allowed to rewrite the program 

20 or data stored in the ROM. 

Rewriting is executed via serial communication between 
the ECU 10 and the rewriting device 11. A user can send data 
for rewriting to the ECU 10 by operating buttons on the 
25 rewriting device 11 and/or interacting with a display screen 
provided on the rewriting device 11. The rewriting device, 
however, is not limited to the form shown in the figure, but 
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may be of another form having a protocol that enables 
communication with the ECU 10. 

FIG. 2 is a functional block diagram showing the entire 
5 memory rewriting system according to one embodiment of the 
present invention. As described above, the memory rewriting 
system comprises the ECU 10 mounted on the vehicle and the 
rewriting device 11. The rewriting device 11 is provided 
outside the ECU 10 and connected thereto via serial 
10 communication. Alternatively, parallel communication may be 
used between the rewriting device 11 and the ECU 10. 

The ECU 10 comprises a central processing unit 14 
(hereafter referred to as a "CPU") including a microcomputer 

15 and associated circuit elements, ROMs 16 and 18 which are 
non-volatile memories and which store programs and data, a 
RAM 37 (Random Access Memory) which provides a work area for 
execution and which stores results of computations, and an 
I/O interface 38 for receiving signals from various sensors 

20 39 and transmitting control signals to various parts of the 
engine. Signals from various sensors 39 include an engine 
rotation speed (Ne) , an engine water temperature (Tw) , an 
intake air temperature (Ta) , a battery voltage (VB) , and an 
ignition switch (IGSW) . Thus, based on a signal input from 

25 the I/O interface 38, the CPU 14 invokes a control program 
and data from the ROMs 16 and 18 to execute computations, and 
outputs the results to various parts of the vehicle via the 
I/O interface 38 to control various functions of the vehicle. 
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The ECU 10 also comprises an interface 12. The interface 
12 has a protocol for communication with the rewriting device 
11 to enable serial communication between the ECU 10 and the 
rewriting device 11. 

The rewritable ROM 16 is a memory from and to which stored 
data can be deleted and new data can be written The rewritable 
ROM 16 can be, for example, a flash memory or an EEPROM. The 
non- rewritable ROM 18 can be implemented by specifying a part 
of the memory area of the rewritable ROM as an unchangeable 
area, or by using a mask ROM for which data are fixed during 
manufacturing and from or to which data can subsequently not 
be deleted or written. Alternatively, the ROM 18 can be 
implemented with a PROM to which data can be written only once . 

The ROMs 16 and 18 can be implemented as two memories 
that are physically separated. Alternatively, the memory area 
of a single memory may be divided into two areas so that one 
of the areas is\used as a rewritable area, while the other 
is used as a non - rewritable area . In the latter case , forexample, 
after a non-rewritabre area in which a program or the like 
is stored has been specified in the EEPROM, a rewritable area 
is specified with a start \ddress and an end address in the 
unfilled space of the memory^ 

Now, examples of a form of the ROMs 16 and 18 and CPU 
will be described with reference to FIG. 3. In this figure, 
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the ROMs 16 and 18 are implemented using a flash memory. FIG. 
3 (a) shows a form in which the flash memory is provided 
separately from the CPU. When a rewriting operation mode is 
entered through communication with the rewriting device 11, 
5 the CPU receives data from the rewri ting device 11 , and invokes 
a program for rewriting the flash memory with the received 
data . 

On the other hand , FIG. 3(b) shows a form having a built - in 
10 flash memory that constitutes one chip in conjunction with 
the CPU. When the rewriting operation mode is entered in 
response to a signal from the rewriting device, data 
transferred from the rewriting device is automatically written 
to the flash memory using a function incorporated in the CPU. 
15 The memory rewriting system according to the present invention 
is applicable to either of the above forms. 

Referring back to FIG. 2, the rewritable ROM 16 stores 
a security function f 2 . The security function f 2 realizes a 
20 security feature for preventing the data stored in the ROM 
16 from being illegally rewritten. 

The non- rewritable ROM 18 stores programs for 
implementing an authentication part 31, a random number 
25 generator 33, and a rewriting part 35. The authentication 
part 31 is responsive to a request for releasing security from 
the rewriting device 11, and determines whether the rewriting 
device 11 is authentic using the security function f 2 and a 
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random number R which is generated by the random number 
generator 33 . Using the random number R enables the security 
feature to be enhanced. If it is determined that the rewriting 
device is authentic, the authentication part 31 releases the 
security feature. 

After that, the rewriting part 35 deletes the security 
function f 2 and receives a new security function f 3 from the 
rewriting device 11 to write it into the ROM 16. The security 
function f 2 may be physically or logically deleted. The 
logically deletion may be implemented using a deletion flag. 
More specifically, the security function f 2 with the deletion 
flag being set is considered to be deleted in subsequent 
processes . 

The rewriting device 11 has a security function f x and 
a new security function f 3 . The security function f i implements 
the security feature in cooperation with the security function 
f 2 stored in the ROM 16 of the ECU 10. If the security function 
f 2 has not been changed by any third person, the security 
function f x of the rewriting device 11 is the same as the 
security function f 2 of the ECU 10. In another embodiment, 
the security functions fi and f 2 have a certain relationship. 
If the relationship is kept, it is determined that the security 
functions f 2 has not been tampered. 

The new security function f 3 is prepared prior to rewriting 
the security function f 2 stored in the ROM 16 . The new security 
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function f 3 can be created by making certain changes to the 
current security functions fi. According to one example, the 
new security function f 3 is a function that has a different 
expression from the security functions f x . According to 
another example, the new security function f 3 is a function 
that has different constant (s) in the function expression from 
the security functions fi. For example, when the functions 
fx and f 2 are f x = f 2 = A x R + B (A = 10 and B = 5 ) , the new 
security function f 3 is set such that f 3 = A + R x B (A = 10 
and B = 5) . Alternatively, the values of the constants A and 
B of the functions fi and f 2 may be changed to 5 and 10, 
respectively . 

The rewriting device 11 also comprises a security release 
request part 21, a rewriting request part 23, and a data block 
assembling part 25, which may be stored in a memory of the 
rewriting device 11 as programs. The security release request 
part 21 uses the security functions fi to request the ECU 10 
to release the security feature. 



The data block assembling part 25 assembles data blocks 
suitable for serial communication from program code of the 
security function f 3 . Each data block includes an address field 
and a program code field. The program code field contains a 
partial program code and the address field contains a leading 
address of an area in which the partial program code is to 
be stored . The data block assembling part 25 divides the program 
code o f the se curity function f 3 into a plurality of pieces, 
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each of which having a certain length (for example, 8 bits) . 
Each piece of the program code, or each partial program code, 
is placed in the program code field of a data block. A leading 
address of each partial program code is placed in the address 
5 field of the data block. Thus, the data block is assembled. 

The rewriting request part 23 serially transfers to the 
ECU 10 the data blocks representative of the new security 
function f 3 assembled by the data block assembling part 25 
10 after the security feature has been released. 

An anti- theft system 81 is connected to the ECU 10 so 
that the memory rewriting system can exchange information with 
the anti -theft system 81. The anti -theft system 81 extracts 

15 an electronic code from an ignition key inserted into a key 
cylinder when the engine is to be started and compares the 
electronic code with a predetermined authorized code to check 
whether the inserted ignition key is authentic. If it is 
determined that the ignition key is authentic, the anti- theft 

20 system 81 transfers a signal indicative of a permission for 
engine start to the ECU 10 via an I/O interface 38. Upon 
receiving this permission signal, the ECU 10 set an engine 
start permission flag which may be stored in the RAM 37 or 
ROM 16, and starts the engine. If it is determined that the 

25 inserted ignition key is not authentic, the permission signal 
is not output . Accordingly, the ECU 10 cannot start the engine . 
Although the anti - theft system 81 and the ECU 10 are separately 
shown in FIG . 2 , some of the functions of the anti - theft system 
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81 maybe included in the ECU 10 . For example, the authorization 
of the ignition key may be performed by the ECU 10. 



The operation of the memory rewriting system shown in 
5 FIG. 2 is described with reference to FIGS. 4 and 5. Rewriting 
operation is initiated, for example, when an operation button 
of the rewriting device 11 is pressed after the rewriting device 
11 has been connected to the ECU 10. Alternatively, the 
rewriting operation may be initiated by operating the ECU 10 . 

10 

At step 41, the security release request part 21 of the 
rewriting device 11 transfers a signal indicative of a request 
for releasing security to the ECU 10. The ECU 10 responds to 
this signal to start an authentication process for confirming 
15 that the authorized rewriting device is connected thereto. 
The authentication process will be described below referring 
to FIG. 5. 

If the ECU authenticates the rewriting device 11 and 
20 permits it to rewrite to the rewritable ROM 16, the process 
proceeds to step 42. The rewriting request part 23 of the 
rewriting device 11 transfers a signal indicative of a start 
of rewriting to the ECU 10, and the rewriting part 35 of the 
ECU 10 returns a start permission signal when ready for 
25 rewriting. At step 43, the rewriting device 11 transfers a 
request for shifting to a rewriting operation mode to the ECU 
10, and then the rewriting part 35 of the ECU 10 executes a 
process for shifting to the rewriting operation mode. At step 
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44, the rewriting request part 23 queries the ECU 10 if the 
shift of the operation mode has completed. The rewriting part 
35 transfers a signal indicative of a completion of the shift 
to the rewriting device 11 if the shift has been completed. 

At step 45, the rewriting request part 23 requests the 
security function f 2 stored in the rewritable ROM 16 to be 
deleted, and in response to this, the rewriting part 3 5 deletes 
the security function f 2 from the ROM 16. 

At this point, in the rewriting device 11 , the new security 
function f 3 has been prepared . The function f 3 has been provided 
by the data block assembling part 25 as serial data blocks 
for transmission to the ECU 10. The security function f 3 is 
typically created before the rewriting device 11 transfers 
the request for releasing security or the notification for 
starting of rewriting to the ECU 10. This preparation for the 
new security function f 3 , however, may be carried out 
immediately before the step 45. 

The new security function f 3 may be prepared, for example, 
selecting one from a number of functions previously saved in 
the rewriting device 11. Alternatively, a user may create the 
new security function f 3 by manipulating the rewriting device 
11 . 

At step 46, the rewriting request part 23 transfers the 
first one of the data blocks representative of the new security 
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function f 3 to the ECU 10 together with a signal indicative 
of a request for writing to the rewritable ROM 16 . The rewriting 
part 35 receives the data block from the rewriting device 11 
and writes a partial program code included in the data block 
5 to the rewritable ROM 16. The partial program code is written 
in an address that is indicated by the address field of the 
data block. Once writing of the partial program code has been 
completed, the rewriting part 35 transfers a notification of 
the completion of writing to the rewriting device 11. In 
10 response to this, the rewriting device 11 transfers a next 
data block to the ECU 10. This step 46 is repeated until all 
the program code of the security function f 3 is written into 
the ROM 16. 



15 Once writing of all the program code has completed, the 

rewriting request part 23 transfers a request for releasing 
the rewriting operation mode to the ECU 10 (step 47). In 
response to this, the rewriting part 35 releases the rewriting 
operation mode . Since the rewriting device 11 has changed the 

20 security function stored in the ROM 16 to f 3/ the function 
used by the rewriting device 11 is also set to f 3 so that the 
security feature can subsequently be implemented by means of 
the security function f 3 . After the new security function f 3 
has been written to the ROM 16 , the preceding security function 

25 fi may be deleted. 



FIG. 5 shows an example of the authentication process 
corresponding to step 41 in FIG. 4. At step 51, the security 



18/29 




Q00013US 



release request part 21 of the rewriting device 11 requests 
the ECU 10 to transfer an arbitrary number R. In response to 
this, the authentication part 31 of the ECU 10 is invoked. 
The authentication part 31 invokes the random number generator 
5 33 that generates random numbers. The authentication part 31 
arbitrarily selects the number R from the random numbers 
generated by the random number generator 33, and transfers 
the number R to the rewriting device 11 (step 52). 
Alternatively, a different mechanism may be used to set the 
10 arbitrary number R. The rewriting device 11 uses the security 
function fx already stored therein to determine the function 
value Kl of the function fi for the number R based on Kl = 
f i (R) (step 53) . 

15 On the other hand, the authentication part 31 of the ECU 

10 uses the security function f 2 stored in the rewritable ROM 
16 to determine a function value K2 based on K2 = f 2 (R) (step 
54). The security release request part 21 of the rewriting 
device 11 transfers the function value Kl to the ECU 10 (step 

20 55) . The authentication part 31 compares the function value 
Kl from the rewriting device 11 with the internally determined 
function value K2 (step 56) , and i~f they are equal, determines 
that the rewriting device 11 is authentic. Subsequently, the 
authentication part 31 checks whether the engine start 

25 permission flag stored in the RAM 37 is a value of one (step 
57) . If the permission flag is one, this means that the engine 
start permission signal has been output from the anti- theft 
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system 81 , and a signal indicative of a permission of rewriting 
is transferred to the rewriting device 11 (step 58). 

Thus, the security feature needs to be released for 
5 rewriting data stored in the rewritable ROM, so that the current 
security functions f x and f 2 are used to release the security 
feature. With the anti- theft system mounted in the vehicle, 
the security feature for the memory rewriting system is 
released only if the anti -theft system has been released, 
10 thereby preventing an illegal driver from rewriting data. 

FIG. 6 is a flow chart showing a process for releasing 
security executed by the rewriting device 11. At the step 61, 
the rewriting device 11 requests a number R from the ECU 10. 

15 The rewriting device 11 subsequently receives the number R 
from the ECU 10 (step 62) . Upon receiving the number R, the 
rewriting device 11 calculates the function value Kl for the 
number R using the security function f i already retained therein 
(step 63). Subsequently, the rewriting device 11 transfers 

20 the function value Kl to the ECU 10 (step 64) . 



FIG. 7 is a flow chart showing a process for releasing 
security executed by the ECU 10. The ECU 10 receives the 
request for the number R from the rewriting device 11. Upon 
25 receiving the request, the ECU 10 sets the number R from random 
numbers (step 72) and transfers it to the rewriting device 
11 (step 73) . The ECU then calculates the function value K2 
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for the number R using the security function f 2 already 
retained therein (step 74) . 

The ECU 10 receives the function value Kl from the 
rewriting device 11 (step 75) and compares the value Kl with 
the value K2 (step 76) . If they are equal, the ECU 10 checks 
whether the engine start permission flag is one (step 77) . 
If the flag is one, the process proceeds to step 78 to set 
a rewriting permission flag , thereby indicating that the 
rewriting device 11 is permitted for rewriting. If the values 
are unequal at step 76 or the engine start permission flag 
is not set to a value of one at step 77, then the rewriting 
permission flag is set to zero (step 79) to indicate that the 
rewriting device is not permitted for rewriting. 

FIG. 8 is a flow chart of a process for rewriting executed 
by the rewriting device 11. At step 81, the rewriting device 
11 transfers a request for rewriting to the ECU 10 . The request 
may actually include the notification for a start of rewriting, 
the request for shifting to the rewriting operation mode, and 
the like, as shown in FIG. 4. Upon receiving a permission of 
rewriting provided by the ECU 10 in response to the request 
for rewriting (step 82) , the rewriting device 11 creates data 
blocks of the new security function f 3 (step 83). The new 
security function f 3 can be arbitrarily created using the 
rewriting device 11 as described above. The rewriting device 
11 then transfers the data blocks representative of the new 
security function f 3 to the ECU 10 (step 84) . 
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FIG. 9 is a flow chart showing a process for rewriting 
executedby the ECU 10 . Upon receiving the request for rewriting 
from the rewriting device 11 (step91), the ECU 10 checks whether 
5 the rewriting permission flag is set to one (step 92) . If the 
flag is set to one, which means that the rewriting device 11 
has been proved to be authentic, then the ECU waits for the 
new security function f 3 transferred from the rewriting device 
11. In fact, processes such as shifting to the rewriting 
10 operation mode or deletion of the current security function 
:= f 2 from the rewritable ROM as shown in FIG. 4 can be executed 

^3 between steps 92 and 93, . 

l sis 

=C Subsequently, upon receiving the new security function 

=3 15 f 3 (step 93) , the ECU writes this function f 3 to the rewritable 

13 ROM 16. Thus, the security function f 2 , which has been stored 

3=4 in the rewritable ROM 16, is rewritten with the new security 
function f 3 . 

20 
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